Psoenen's Blog


Archive for October 2010

Cloud computing: Governance and security?


Are you considering moving into the cloud? Cloud customers need assurance that providers are following sound security practices. The importance of the governance and risk management issues associated with moving assets into cloud computing should be clearly understood.

The promise of the Cloud

Cloud computing is an on-demand service model for IT provision, often based on virtualisation and distributed computing technologies.

The attractiveness of Cloud Computing

By moving IT services to the Cloud, enterprises can take advantage of using services in an on-demand model. Infrastructure costs are reduced and services are paid for on a subscription or pay-per-use basis. The Cloud offers a way to extend IT’s existing capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software.

The Cloud service delivery models

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud models
 
1. SaaS – Software as a Service 

SaaS delivers the provider’s applications through the browser to thousands of customers using a multitenant architecture, i.e. a single instance of the software runs on a server, serving multiple client organisations. The service provider maintains and governs the software, data, and underlying infrastructure. Examples include online word processing and spreadsheet tools, CRM services and web content delivery services.
Sample offerings are Salesforce CRM, Google Docs, etc.

2. PaaS – Platform as a Service

PaaS offers the capability to deploy customer-created or acquired applications on the cloud infrastructure, using tools supported by the provider. The service provider maintains and governs the application environments and server instances, as well as the underlying infrastructure.
Examples are Microsoft Azure, Force and Google App Engine.

3. IaaS – Infrastructure as a Service

IaaS offers the ability to deploy operating systems and applications on computing resources (processing, storage and networks) provided by a third party. The customer deploys and manages assets, including operating systems and applications, on leased or rented server instances, while the service provider owns and governs the underlying infrastructure.
Examples include Amazon EC2 and S3, Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace Cloud.

Cloud Computing Deployment Models

There are three primary cloud deployment models and a hybrid model:

Each deployment model and its cloud infrastructure:
Private Cloud
An internal cloud emulates cloud computing on private networks:
  • Operated solely for an organisation;
  • May be managed by the organisation or a third party;
  • May exist on-premise or off-premise;
  • End-to-end control;
  • Dedicated resources.
Community Cloud
A community cloud may be established where several organisations have similar requirements and seek to share infrastructure so as to realise benefits of cloud computing:
  • Shared by several organisations;
  • Supports a specific community that has shared mission or interest;
  • May be managed by the organisations or a third party;
  • May reside on-premise or off-premise.
Public Cloud
External or multi-tenant cloud describes the cloud computing in the traditional mainstream sense, whereby resources are dynamically provisioned over the Internet, via web services:
  • Made available to the general public or a large industry group;
  • Owned by an organisation selling cloud services;
  • Common policies;
  • Shared resources and multi-tenant.
Hybrid Cloud
A composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability.

Benefits

Although financial savings may be attractive, the real opportunities are to streamline business processes and to increase innovation. Instead of managing and scaling infrastructure, organisations can focus on their core business.

Key benefits:
Cost
The cloud offers enterprises the option of scalability without the serious financial commitments required for infrastructure purchase and maintenance. The upfront capital expenditure with cloud services is low. Services and storage are available on demand and are priced as a pay-as-you-go service.
Immediacy
The provision and utilisation of services may be achieved in days compared to the weeks or months required for traditional IT projects.
Availability
Cloud providers have the infrastructure and bandwidth to accommodate business requirements for high speed access, storage and applications.
Scalability
Cloud services offer increased flexibility and scalability for evolving IT needs. Provisioning and implementation are done on demand, allowing for traffic spikes.
Business focus
The reallocation of information management operational activities to the cloud offers businesses a unique opportunity to focus efforts on innovation and research and development.
Resiliency
Cloud providers have mirrored solutions that can be utilised in a disaster scenario as well as for load-balancing traffic.
Mobility
Employees can access information wherever they are, rather than having to remain at their desks.

Governance and security

Security in the Cloud?

When switching to the cloud, the creation of a security plan should be a first consideration. Security breaches can be the direct cause of service interruptions and can contribute to lower service levels. Also, data theft resulting from a security breach could result in a real or perceived breach of customers’ trust in your organisation.

Customers should make their buying choices on the basis of a provider’s reputation for confidentiality, integrity and resilience, and the security services it offers. This will drive cloud providers to improve their security practices and also to compete on security.

The following overview lists the major control objectives and highlights some potential risks and issues related to the use of cloud solutions. For each criterion, the objective is given first, followed by the risks and issues a customer should raise with the provider.

Governance
  • Objective: Governance functions are established to ensure effective and sustainable management processes that result in transparency of business decisions, clear lines of responsibility, information security in alignment with regulatory and customer organisation standards, and accountability.
  • Risks and issues: How to govern the cloud: which management and monitoring processes should be implemented, which roles and responsibilities, which KPIs?
Risk management
  • Objective: Risk management procedures are implemented to evaluate inherent risks within the cloud computing model, identify appropriate control mechanisms, and ensure that residual risk is within acceptable levels. Information risk management is integrated into the organisation’s Enterprise Risk Management (ERM) framework.
  • Risks and issues: How to govern and manage enterprise risk: how can the user assess the risks of a cloud provider?
Compliance
  • Objective: Contractual obligations: establish agreements and procedures to ensure contractual obligations are satisfied, and that these obligations address the compliance requirements. The use of cloud computing should not violate customer compliance agreements.
  • Risks and issues: What legal, financial and information security provisions are in the contractual agreements?
  • Objective: Legal issues relating to financial, jurisdictional and contractual requirements are addressed to protect both parties.
  • Risks and issues: Regulatory and legislative compliance: how will the cloud affect your ability to comply with regulatory requirements such as SOX, GLBA, HIPAA, PCI?
  • Objective: The storage of personal data in the cloud should comply with data privacy regulations.
  • Risks and issues: Disclosure laws: physical location dictates jurisdiction and legal obligation. Country laws governing personally identifiable information (PII) vary greatly.
  • Objective: The right to audit is clearly defined and satisfies the assurance requirements of the customer’s board of directors, audit charter, external auditors and any regulator with jurisdiction over the customer.
  • Risks and issues: Auditability: who can investigate data? If a legal investigation is required, namely because of illegal activity, can the provider support the customer in the investigation?
Application requirements
  • Objective: For SaaS implementations, the applications should contain the appropriate functionality and processing controls required by the business.
  • Risks and issues: Do the applications satisfy the functional, financial and operational requirements? Do the applications contain the processing controls required by the control policies?
Asset management
  • Objective: Applications are developed with an understanding of the interdependencies inherent in cloud applications, based on risk analysis and on the design of configuration management and provisioning processes that will withstand changing application architectures. Planning for the migration of data is required to reduce operational and financial risks at the end of the contract.
  • Risks and issues: Difficulty integrating multiple applications, namely with in-house IT. Provider dependency: loss of control over systems and possibly data; how to ensure data portability and interoperability?
Service management
  • Objective: Ensure that services provided by third parties meet business requirements through effective third-party management processes.
  • Risks and issues: Does the service provider align its operations with the customer’s service requirements?
Confidentiality
  • Objective: Data are securely transmitted and maintained to prevent unauthorised access and modification.
  • Risks and issues: User access: how is data access ensured and controlled; who at the provider has access to data?
  • Objective: Data are securely protected against unauthorised access, where appropriate through encryption, and separation of duties exists between key managers and the hosting organisation.
  • Risks and issues: Data segregation: how to ensure that other customers and competitors cannot access data? How to ensure intrusion detection?
  • Objective: The customer remains the sole owner of its data.
  • Risks and issues: Data ownership: who owns the data in the cloud?
Integrity
  • Objective: Identity processes ensure that only authorised users and processes have access to the data and the resources, that user activities can be audited, and that the customer has control over access management.
  • Risks and issues: Data corruption: who can modify the data?
  • Objective: Cross-contamination with other customer environments has to be avoided.
  • Risks and issues: How to protect against malware and security vulnerabilities?
Availability
  • Objective: An effective continuous service process minimises the probability and impact of a major IT service interruption on key business functions and processes.
  • Risks and issues: Service reliability: what about availability issues of Internet connectivity or system outages? Long-term viability: what if the provider fails? Recovery: is data safeguarded?
Incident management
  • Objective: Incident notifications, responses and remediation are documented, address the risk, are escalated as necessary and are formally closed.
  • Risks and issues: Are incident detection, response, notification and remediation adequately managed?

Governance

A portion of the cost savings must be invested in increased scrutiny of the security capabilities of the provider, the application of security controls, and ongoing detailed assessments and audits, to ensure requirements are continuously met.

Organisations should view cloud services and security as supply chain security issues. This means examining and assessing the provider’s supply chain (service provider relationships and dependencies), to the extent possible.

Information security governance should rely on cooperation between customers and providers to achieve agreed-upon goals which support the business mission and the information security requirements. The service model should adjust the defined roles and responsibilities in collaborative information security governance and risk management, while the deployment model should define the accountabilities and expectations.

User organisations should include review of specific information security governance structures and processes, as well as specific security controls, as part of their due diligence for prospective provider organisations. The provider’s security governance processes and capabilities should be assessed for sufficiency, maturity, and consistency with the user’s information security management processes. The assessment of the provider’s information security, risk management and compliance structures and processes should cover:
  • Request clear documentation on how the facility and services are assessed for risk and audited for control weaknesses, the frequency of assessments, and how control weaknesses are mitigated in a timely manner.
  • Require definition of what the provider considers critical service and information security success factors, key performance indicators, and how these are measured relative to IT Service and Information Security Management.
  • Review the provider’s legal, regulatory, industry, and contractual requirements capture, assessment, and communication processes for comprehensiveness.
  • Perform full contract or terms-of-use due diligence to determine roles, responsibilities, and accountability. Ensure legal review, including an assessment of the enforceability of local contract provisions and laws in foreign or out-of-state jurisdictions.
  • Determine whether due diligence requirements encompass all material aspects of the cloud provider relationship, such as the provider’s financial condition, reputation (e.g., reference checks), controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities, and use of subcontractors.

The Service Level Agreement (SLA) is one of the most effective tools the organisation can use to ensure adequate protection of information entrusted to the cloud. The customers can specify which control frameworks will be utilised and describe the expectation of an external, third-party audit. Clear expectations regarding the handling, usage, storage and availability of information must be articulated in the SLA. Additionally, requirements for business continuity and disaster recovery should also be communicated in the agreement.

Metrics and standards for measuring performance and effectiveness of information security management should be established prior to moving into the cloud. Security metrics and standards, especially those relating to legal and compliance requirements, should be included in any Service Level Agreements and contracts.

The use of standards and frameworks will help businesses gain assurance around their cloud computing supplier’s internal controls and security. These standards and metrics should be documented, demonstrable and auditable.

Patrick Soenen | p.soenen[at]qap.eu ♦ Jean-Pierre Palante | jp.palante[at]qap.eu

 

Written by psoenen

October 1, 2010 at 10:36 pm

Protecting the privacy of personal information


One of the many challenging risk management issues faced by organisations today is protecting the privacy of customers’ and employees’ personal information. When privacy is well managed, organisations earn the trust of their customers, employees, and other stakeholders. When it’s poorly managed, trust and confidence can quickly erode. And today, boards and audit committees want assurance around the organisation’s processes that protect private information.

Many countries have adopted nationwide privacy legislation governing the use of personal information, as well as the export of this information across borders. For businesses to operate effectively in this environment, they need to understand and comply with these privacy laws. Recent incidents of identity theft, mismanagement of personal information, and violation of privacy principles have increased regulatory and consumer pressure on organisations to develop appropriate controls in relation to privacy, data management, and information security.

What is privacy

The American Institute of Certified Public Accountants (AICPA) defines privacy as “the rights and obligations of individuals and organisations with respect to the collection, use, disclosure, and retention of personal information”.

The European Data Protection Directive 95/46/EC requires that “Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”

In today’s business context, privacy often refers to the privacy of personal information about an individual and the individual’s ability to:

  • Know how his or her personal information is handled;
  • Control the information collected;
  • Control what the information is used for;
  • Control who has access to the information;
  • Amend, change, and delete the information.

Personal information

Personal information is data that can be linked to or used to identify an individual either directly or indirectly. Examples of personal information are:

  • Person’s name;
  • Home address;
  • Pictures;
  • Telephone numbers (even a professional telephone number);
  • Identifiers such as Social Security, social insurance, passport, or account numbers;
  • Bank account numbers;
  • e-mail addresses;
  • Fingerprints;
  • Physical characteristics;
  • Credit records;
  • Consumer purchase history;
  • Employee files.

Sensitive information

Sensitive personal information requires an extra level of protection and a higher duty of care:

  • Medical records;
  • Financial information;
  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Information relating to offences or criminal convictions.

Non-personal information

Anonymised information about people cannot be associated with specific individuals. This includes statistical or summarised personal information for which the identity of the individual is unknown or linkage to the individual has been removed.

The benefits of good privacy management

Good privacy governance involves identifying significant risks to the organisation, such as a potential misuse, leak, or loss of personal information. It also implies ensuring appropriate controls are in place to mitigate the privacy risks.

For businesses, the benefits of good privacy controls include:

  • Protecting the organisation’s public image and brand;
  • Protecting valuable data on the organisation’s customers and employees;
  • Complying with applicable privacy laws and regulations;
  • Enhancing credibility and promoting confidence.

For public-sector and non-profit organisations, the additional benefits of good privacy controls include:

  • Maintaining trust with citizens and noncitizens;
  • Sustaining relationships with donors of non-profit organisations by respecting the privacy of their activities.

The Privacy Challenge

Normally organisations recognise the need for implementing good privacy practices. However, the challenge is sustaining the privacy programme. With the proliferation of data management technology, organisations have difficulty identifying where this data is stored, how it is protected, who has access to it, and how it is securely disposed of. In addition, accountability and responsibility for maintaining the privacy practices are not always clearly assigned within the organisation.

Privacy regulations

Multiple regulations have been developed by various countries and organisations. 

Year and regulation:
1980 The OECD Council’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data were created to establish common ground for free transborder data flow among the 24 OECD members
1984/1998 The UK Data Protection Acts
1990 The UN General Assembly issued its human-rights-based Guidelines Concerning Computerised Personal Data Files, which member states should take into account when implementing national data protection legislation
1995 The European Data Protection Directive 95/46/CE, on the Protection of Individuals with Regard to the Processing of Personal Data, has been transposed into Belgian law
1996 The Canadian Standards Association Model Code for the Protection of Personal Information, now incorporated into national law (PIPEDA)
1997 The European Distance Selling Directive 97/7/CE
1997 The Framework Data Protection Directive 97/66/CE, protecting privacy in telecommunications
2000 Standards Australia developed AS 2805.9-2000: Electronic Funds Transfer – Privacy of Communications, which specifies methods of protecting from disclosure the information contained in electronic messages
2002 The European ePrivacy Directive 2002/58/CE, establishing rules for online marketing
2004 The APEC Privacy Framework (consistent with the core values of the OECD guidelines) was developed to provide guidance and direction to businesses in APEC economies on common privacy issues and the impact these issues have on the way business is conducted
2006 The European Data Retention Directive 2006/24/CE, extending data privacy to the Internet and e-mail

The Commission for the Protection of Privacy (CPP)

The Commission for the Protection of Privacy (CPP), known as the Belgian Privacy Commission, is an independent authority ensuring the protection of privacy during the processing of personal data. The Commission recognises the information society’s need to collect and process personal data for societal and economic development, and weighs societal and economic needs against this fundamental right in order to reach decisions and privacy safeguards that reconcile both. The Commission realises that any personal data processing operation implies risks for privacy protection. It consequently stresses the importance of informing data subjects as well as processors about these risks, and of integrating safeguards, particularly relating to information security. Moreover, it focuses on the importance of the use of technologies in personal data processing for greater well-being and welfare for citizens in today’s society.

Processing of privacy data

Personal data

A data processing operation starts with the collection of data. Before the data is collected, however, the controller has to notify the processing to the Commission. The data has to be collected fairly and therefore transparently. The controller collecting personal data has to inform the person about the processing. The controller has to:

  • clarify why he wishes to obtain your personal data;
  • transmit his contact details to you;
  • let you know who your data will be disclosed to;
  • inform you about your right to access and rectify your data;
  • mention that you may object free of charge to the use of your data for direct marketing, e.g. commercial actions.

Sensitive data

Some data are so delicate that they may only be processed in specific cases. Sensitive data covers race, health, political opinions, philosophical beliefs (religious or atheist, etc.), sexual preferences or judicial past. The Privacy Law most strictly regulates registration and use of those data.

The controller may process sensitive data relating to you (except for judicial data) if:

  • he has the person’s consent in writing;
  • it is needed to provide the person with necessary treatment;
  • it is compulsory under employment law.

Controller’s data commitments

The controller has to ensure:

  • the good quality of the data, in other words the data has to be precise;
  • the confidentiality of the data. He must ensure that not just anybody can access and disclose the data;
  • the security of the data. He must ensure that the data is not lost or stolen. The more sensitive the data, the higher the level of security has to be;
  • that he does not keep the data any longer than necessary to achieve his purpose. At the end of the processing operation, he therefore has to delete the data.

Privacy control framework

Basic privacy control framework activities include setting objectives, establishing policies and procedures, and establishing monitoring and improvement mechanisms. Many organisations use control frameworks such as COSO (The Committee of Sponsoring Organisations of the Treadway Commission’s 1992 Internal Control — Integrated Framework) or its 2004 ERM (Enterprise Risk Management — Integrated Framework) enhancement.

Qualified Audit Partners’ governance risk management framework can be applied to privacy management and control:

Principles:
Context The privacy culture and tone of an organisation, closely linked with its customer and social responsibility, is critical for the internal privacy risk and control environment. The internal environment includes the privacy code, implicit and explicit privacy policies, and organisational privacy culture, as established and communicated by senior management, all of which have to be aligned with applicable laws and regulations.
Strategy Management needs to establish an organisational mission and vision from which privacy objectives and privacy policy can be derived, directly or indirectly.
Risk Identifying potential internal and external privacy threats is mainly part of periodic and ongoing operational and information technology risk assessment. Appropriate business processes, collection limitation, data security, contingency management, and data management measures mitigate privacy related risks.
Resources Adequate resources ensure that organisational policies, procedures, and structures, such as data security, access controls, integrity and contingency controls, privacy reviews, a privacy or security officer, are carried out.
Communication Stakeholders are made aware of the privacy issues and actions. Relevant information needs to be communicated in a timely manner to allow effective control.
Monitoring A data register is maintained, requests to access personal information records are evaluated, and privacy audits are conducted. Privacy metrics and reporting on issues and their mitigation are developed.

Data privacy implementation

The implementation of a data privacy approach in the organisation is based on several steps:

  1. Data has to be inventoried and classified according to its sensitivity;
  2. The information security attributes should be applied;
  3. Privacy practices have to be implemented within the organisation.

Data inventory and classification

The organisation’s private data is one of its most vital corporate assets. A corporate classification programme for privacy-protected data will assist in prioritising the data. Assigning a sensitivity level, such as secret, confidential, proprietary or public, to data assists in evaluating the appropriateness of the controls over the technology and business processes that handle it.

Information security

The CPP requires information security to be checked against seven security attributes:

  • Confidentiality: only persons having authorisation can access the information;
  • Integrity: the information cannot be altered intentionally or unintentionally;
  • Availability: the information is accessible and usable whenever an authorised person has requested it;
  • Accountability: there is always a trace of the author and of how the information was edited;
  • Non-repudiation: proof that an operation or event actually took place, meaning that it cannot be denied now or at a later time;
  • Authenticity: it is certain that a person really is who he claims to be;
  • Reliability: the characteristic of achieving the expected result.

Implementation of privacy practices

To implement and manage an effective privacy programme, the organisation should clearly define its privacy policies, communicate those policies, and document the procedures and controls relating to the collection, use, retention, and disclosure of personal information to ensure compliance with laws, regulations, and the organisation’s policies. Specific criteria that are relevant, objective, complete, and measurable should be established for evaluating the effectiveness of each of these practices.

The Commission for the Protection of Privacy (CPP) proposed the introduction of 10 security measures:

Measures:
Security Policy Any organisation processing personal data should draw up a security policy giving a precise description of security strategies and protection features selected for data security, consisting of:

  • the risk management approach of personal data;
  • the priorities set and the mechanisms introduced, as a result of the risk assessment;
  • a planning for the policy’s taking effect;
  • a description of the various responsibilities and organisational rules;
  • a description of how to manage security incidents;
  • a description of the awareness-raising process within the organisation;
  • the measures to keep the security system up-to-date.
Security officer Within the organisation a security officer must be appointed, who is to be in charge of the implementation of the security policy. Reporting directly to the organisation’s management, he shall ensure that the various responsibilities with regard to security have been clearly defined and that the persons in charge of security can operate autonomously and independently.
Security organisation The organisation must clearly define the responsibilities and the management processes regarding personal data security and properly integrate them in its general organisational structure and functioning. The organisation should ensure that information classification procedures are elaborated, so that an inventory can be drawn up and all personal data being processed can be localised. The persons participating in the processing of personal information should be sufficiently and constantly informed, as well as adequately trained, about their duties and responsibilities during processing operations.
Physical security The organisation should take the necessary measures to guarantee the physical security of personal data. The organisation must also provide the necessary safeguards in order to avoid the loss or accidental modification of personal data, and ensure continuity of the business activities.
Network security The organisation must make sure that the confidentiality and integrity of personal data are guaranteed if the equipment is connected to networks while processing the data.
Access security The organisation must ensure that personal data, according to their classification, are only accessible to persons and application programmes explicitly having the necessary authorisations.
Audit trail The organisation should implement logging and audit trail mechanisms.
Monitoring and auditing The organisation must assure that the technical or organisational measures have been validated and that they are regularly checked.
Incident response The organisation must have a security incident management plan.
Mobility The organisation should have complete centralised documentation relating to security, which is updated on a regular basis.

Cross-Border Transfers of Personal Data

Personal data can move freely within the European Union, as long as the European Data Privacy Directive (95/46/EC) is observed. Indeed, all Member States apply the same level of protection when processing personal data.

Outside the European Union, only transfers to countries ensuring a level of protection equal to that offered on EU territory are authorised. The European Commission has recognised an adequate level of protection for the following countries: Switzerland, Canada, Argentina, the United States (if the recipient has accepted the “Safe Harbor Principles”), Guernsey and the Isle of Man.

If the country of final destination of the data is not included in the European Commission’s list, the controller may ensure adequate protection through a contract. This contract binds both the party transferring the data and the party receiving it, and must contain sufficient safeguards with respect to data protection. In Belgium such a contract has to be authorised by Royal Decree, following the opinion of the Commission for the Protection of Privacy. To help the controller in this process, the European Commission has drawn up standard contractual clauses, which are automatically considered as sufficient safeguards for data protection.

A multinational may establish rules for the international transfer of data within its corporate group. All entities of the enterprise have to observe these rules. Binding Corporate Rules are considered as adequate safeguards for personal data protection after approval by the national data protection authorities.

Patrick Soenen | p.soenen[at]qap.eu ♦ Jean-Pierre Palante | jp.palante[at]qap.eu

Written by psoenen

October 1, 2010 at 10:34 pm
